XPath injection occurs when an XML document is used for data storage in a manner similar to a relational database. This attack is similar to SQL injection or XML injection (see the appropriate parts of IDS00-J. Sanitize untrusted data passed across a trust boundary), wherein an attacker enters valid SQL or XML constructs in the data fields of the query in use. Typically, the conditional field of the query resolves to a tautology or gives the attacker access to privileged information. This guideline is a specific example of the broadly scoped IDS52-J. Prevent code injection.
XML Path Injection Example
...
- Treat all user input as untrusted and perform appropriate sanitization.
- When sanitizing user input, verify the correctness of the data type, length, format, and content. For example, use a regular expression that checks for XML tags and special characters in user input. This corresponds to input sanitization. See IDS52-J. Prevent code injection for additional details.
- In a client-server application, perform validation at both the client and the server side.
- Extensively test applications that supply, propagate, or accept user input.
An effective technique for preventing the related issue of SQL injection is parameterization, whereby user-specified data is passed to an API as a parameter, thus ensuring that user-specified data is never interpreted as executable logic. Unfortunately, Java SE currently lacks an analogous interface for XPath queries. SQL parameterization can be emulated by using an interface (such as XQuery) that supports specifying a query statement in a separate file that is supplied at runtime.
...